From YouTube: End Users Working Group (March 2, 2023)
Description
Meeting notes: https://docs.google.com/document/d/1KQalBRzfRBvsqh73JUYfp1KG-AJdXcv2Z8LTIFoQP8c
A
Yeah, I have neither. I have two backgrounds that I've, that I use, and it just started changing them rant literally randomly hurry on.
E
Good morning, crew. I remember from my IRC days, they have this universal greetings time. Oh wait, where it's like, if.
B
Good way to start. So let me get the notes pasted into chats. Good morning, Jack.
B
So yeah, if, if people can take a look at the notes and just add their names, the notes and agenda, that'd be great.
B
So good morning, everyone. We've got an agenda to go through. First of all, as traditional, is there anyone who could act as scribe for us today? And, as is traditional, thank you very much, Dan, for your continued efforts to, to keep us in, in sync with the appropriate scribing. Best in the industry, not even his day job.
H
At least I'll be known for something, you know. I mean, you know, you get you. You gotta pick your, your thing.
B
Absolutely, the cyber security thing.
B
Completely agree. So we should start with any new friends. So does anyone want to raise the hand, give a bit of an introduction and say who they are, where they're from, sort of interest, that sort of thing? Any takers?
J
I am a new friend. Hi. Oh yay, hey, crops clapping. For me, my name is Jessica. I work at Intel. I'm the director of the open source program office, and this is my, this is my first time attending an OpenSSF working group meeting, but I'm interested in getting to know you all and sharing with you some stuff that, that my team has been working on.
J
You want to know interests, yeah. I don't know, I have no interest outside of work. No, that's not true! I love reading, I love film, I love hanging out with my daughter and our dog and our cat, and attempting to garden.
C
Yeah, hi everyone, I'm Alexi. I'm working at Red Hat, but here I'm in a less of my official capacity, but rather as an open source enthusiastic for many years. I used to be a translator at the infrastructure initiative, best practices badge initiative, the, the, the application, and basically I get stuck around the whole affair, and I, I kept using the, the framework that has been devised back then in my own open source projects. I'm a C++ programmer, yeah, I'm using the Qt framework, and I'm involved in the project called matrix.org, which provides the decentralized communication systems.
B
Nope? All right. Well, no, not everyone needs to speak up. We can just add your name to the list, if you don't mind, so we can keep track of who's contributing. I'd appreciate it.
B
So a couple of things to, to go through, and then we have any other business and any other notes from different working groups. But starting off with a couple of notes: there's the OSSF Summit in Vancouver in May, just really sort of raising for people's awareness more than anything else. But also, you know, is, is there interest in getting together as an end user group whilst people are out there? Or, first of all, are people going? I am. Three, four, four and a half.
B
Cool, yeah, great, cool. I tried to do that in London with the recent State of Open Source, I've got a couple of people interested there as well. That would be cool. So, so I guess part of it was the sort of notification and, and partners sort of whip up initial interest in maybe getting people together for perhaps the birds of a feather session or just a face-to-face meeting, certainly drinks, and, you know, I guess we'll, we'll bring it back up as we get closer to it.
A
End user day CFP is not closed, and I am submitting for a panel of end users for that, and I'm also, I think, going to be on a panel on the broader event, and we'll obviously pitch the end user working group.
B
Very cool, all right. Thank you very much. So, so that's that one. Next one on the agenda is the national cyber security strategy. So most people probably aware of that dropping today. Again, more of a public service announcement that, that is a document that's been dropped from the U.S. White House.
B
It looks like it's got quite, quite a lot of, quite a lot to it. I mean there's, it's quite a detailed document, and I think it's got a lot of ramifications to end users, particularly, and it's quite potent, and I think to this group. So raising again for information purposes. I did have a link that was passed on to me there, but I don't have a link to the actual document itself.
G
Yeah, so I guess the thing that was interesting to me from the snippets that I've seen: it looks perhaps like the tragedy of the digital commons paper has had some impact on policy maker thinking, in that they're sort of talking about the allocation of responsibility to those who are best able to bear it.
G
If it's fine, I haven't read the full thing yet, so I don't know what the detail is, but that sounds very much like what was being tragedy of the digital commons is, that more responsibility needs to be laid at the vendors who package and redistribute, yeah.
B
Green, so I, I think that is probably, as people start to digest it, we should, I mean, I think it'd probably be another good topic to bring up next week: some of the ramifications of that, how we see that affecting end user groups, the work that we're doing, and maybe there's worthwhile getting, getting together and figuring out, you know, strategy to address those issues.
A
Should, I think, wrap in the whole EU CRA into that also, because in, in essence it's going to be doing exactly the same thing, right, by, by requiring people who produce or sell to go put their software through a series of tests, to provide a guaranteed five-year SLA, those types of activities. So it's going to do the same thing in effect, I think. Well.
K
I big, big picture to drive action, I think so. I think the strategy, though, is a much better way to approach than what the CRA was doing. Of course, the devil will be in the details of how the implementation comes out, but I think, I think the approach is different, and basically that the summary, for those that haven't read it, I mean there's a lot in there.
K
But the part that is most relevant to software is they're basically saying we want to change contract law so that EULAs can't, as a first step, disclaim all liability. We're going to take that away, and you have to earn that back by following certain safe harbor steps, which would be defined by practices, may be defined here, also within CISA, right. And so, as opposed to just letting everybody do whatever and have no downsides, you have to earn that back. And there's a similar set of words for people who, I think they call them.
K
Not data custodians, that's right, and it's a similar thing. So, basically, the point being you're going to be held responsible if you're negligent in leaking data and or shipping software that has problems and you didn't follow best practices, which is, I think, a very different approach than what the CRA was trying to do.
K
They're putting that on companies, not on the open source producers. That specifically says the responsibility should be on the companies, not on the end users, where it is today, or, or placed on open source developers.
G
Yeah, they can reach into any contract and change it, and if they think the public is served by it. And I've usually sort of given that warning in the context of like a hypothetical where something very catastrophic happens and legislatures just freak out and, and upset the whole thing. Or something else I was going to say, but it's escaped me now.
B
Is there any suggestion where those standards or best practices are going to be curated? I know that CISA was roughly mentioned, but that's the one that's interesting to me in that, yeah.
K
The, the last page, page 37, talks about the implementation, and, and, you know, there's, there's a lot of words there, and, you know, I've had time to think about this, because I, I was invited to see an early draft of this about six weeks ago, and in my mind, I think the way this plays out is there will be a number of different initiatives. You know, because they're talking about software liability, they're talking about cyber insurance, there's IoT, there's a lot in this big picture, but I think what happens.
K
You know, collaboration, which is exactly what that NTI process would look like, and so, so yeah, that, that's how I imagine this will unfold. And I feel like there was somewhere in there where it referred, both as an example of the safe harbors, to CISA standards, but also something to the effect of other industry defined best practices, which could be read to mean things coming out of the OSS like SLSA, S2C2F and those types of things. That, that's how I've internalized this.
B
All right, definitely one I think that's going to be a big focus for a lot of people, so some, some good reading ahead. I think maybe, as people read through it, it might be useful to start putting commentary into the Slack channel. I know we don't use the Slack channel that as much, or that much at all really, but I think there's gonna be a lot of activity over the next couple of days in a week or so, rather than waiting till the next two weeks to actually discuss it.
A
Think that'd be helpful. I also want to mention one thing while we're talking about this. I don't know how many of you are planning on attending the pub, the OpenSSF public policy meeting tomorrow morning. That is going to, so there is a period, there's an opportunity now for us to submit potential amendments to the CRA, and the public policy meeting being led by Intel is driving this activity, and so they've scheduled, I think, a 90-minute, two-hour meeting tomorrow morning for people to have input into how these.
A
What these amendments look like, how they're crafted, so I, I will try and.
A
It was just decided in the public policy meeting this Tuesday, and so I'm sure they just didn't update it. So I'll forward the meeting to, I'll put the meeting invite in this working group in the chat. So let me go find that and put it in here. I.
L
Think a reason might be that the public policy group was supposed to be in the government board appointed group to do public policy kind of things. Not saying that you shouldn't share it, but I at least wanted to mention that, if somebody has an opinion on that, but.
L
I think originally it was government appointed. It's.
I
Do you think is I'll ping a meat right now and hopefully she can get back with me on what her thoughts, if we can make that a wider audience. Just give me a couple minutes and don't ask me to talk.
B
All right, thank you. Thank you very much. Okay, that's gonna be interesting. Thank you very much for that one, and okay. So next one up: Andrew, you got a piece about the, the vice chair and recruitment.
A
Yeah, so a couple of things, but first off, came to be stepping down or, as the vice chair of the end user working group. I still want to be very involved. In fact, I'd really like to kind of drive membership to this group. The reason I'm stepping down is as we get, as, as this group has matured and we're beginning to get to, into developing more and more content, I simply don't have the cyber security background.
A
I have the open source background. I've been in open source for over 20 years, but I don't have the cyber security background and don't have the domain expertise to contribute to a lot of this content. So I think this group deserves someone who has much deeper cyber security experience to drive this. I, I think, I really think it should be an end user, given the, the, the nature of the group, but I wanted to throw that and throw that out there. I do want to throw my, a name in the ring here.
A
Someone who I've seen be very active, but it doesn't need to be open. I think Jack could be a great number two for this, for this group, and so I, but I did want to let people know I'm not stepping down from the group. I'm really, I just, I would like to frankly focus on, I think I can add value on, around driving more membership, so that's kind of where I'm at.
B
Pretty cool, thanks. Well, I, I think, as you say, it needs to be open. I mean, so I'd second that for Jack. Good man, you're, you know, I think you, you've been here, for instance in the very beginning, and huge contribution to the work we're doing around end user group and open source in general, so I definitely second that. Anyone else?
I
Meet said, go ahead and share that with this group, that will be fine. Thank.
G
Question, yeah, I was, I was thinking of elbowing that other bloke out of the way for the coronation.
G
You very much, yes, thank you very much. I'm, I'm very flattered and honored, of course, to, to take on the position. So thank you all for your support. I'm, I'm really moved.
B
Awesome, fantastic, that's great, great to hear. And Andrew, do you want to give a little bit more color to the, the sort of recruitment focus? You said focus on recruitment. I think that's a great idea! Yeah.
A
So I think we need to continue to, to recruit new, new members to this group. It's always good to have new, new blood, new opinions, new perspectives, people who can actually contribute. I think we still need to focus on, obviously, on end, end users. I've begun to build a pipeline of people I want to, want to reach out to, at groups who, at end users who, who are members yet, such as Uber and Boeing and JP Morgan and, and entities like that.
A
We need to broaden that, I think, and maybe in EU participants. So I'll put together, and I'm happy to, to have people work with me and, in fact, need others to participate in this process and think about who they knew, know, and who they can help us reach out to, but happy to start putting together a list of targets for us to reach out to. I think we should use the Vancouver event as, as a recruiting opportunity. I think there'll be, when I.
A
If you look at the other foundation events that are happening during that time, there will certainly be a lot of other end users there, so yeah. That's, that, those are my thoughts.
B
Yeah, great one. I, I think it's really positive. We've got 21 people on the call right now, so there's a lot of people, a lot of interest, and I, I think, Andrew, you and I have talked to many, many others, and a lot of people are in the background trying to feed information into here and taking the sort of a content way, not necessarily a join the group.
B
So I think what we're trying to look at is trying to join the two things and bring people closer in, so, so great that you're able to focus on that. Thanks, Andrew. Dan.
H
I was just gonna mention I'm happy to help. I was thinking specifically of UK government, since I have some ties to the UK government. I can try and see if I can find a UK government participant to join this call.
B
Really good, actually thinking about that, so do I. I talked to them and they have expressed interest to join, but haven't followed up on that. So maybe you and I, also you can double check, yeah, let's, yeah, all good, fantastic! Thank you. Right. Next item on the agenda: an open source consumption manifesto. So it's some work that I've been very interested in seeing from, from, suggested from Brian. But Brian, do you want to take it away? Give an intro.
K
To this, yeah, sure, thanks, Jonathan. So, so Jonathan and I have been kind of planning to write content for what, like six months now, and just like, at least six, it's like September, and, and life and other events and everything else keep getting in the way.
K
But back in November or so I, I dragged Jeff Weyman into this to help me actually put some words from the thoughts, combining a white paper that Jonathan had written and, and leaning heavily on some of the learnings that came out of the Tahoe event that many of you were at. In, in the all-day board meeting I kind of got on the soapbox a little bit and said, you know, we're, we're all talking about these really hard to solve problems.
K
But, you know, our data shows that 96% of the time people just make bad choices, because they're, the, the fixed version is already out there. And so talking about better tools and better education and all these things, while important, for my data, is focused on solving four percent of the problem. And there seemed to be a, a group of people.
K
That kind of that message resonated with, and so we were trying to put together kind of a, a cyber, sort of hyperbolic call to action to sort of re-level the, the focus a bit, that everybody is focused on this four percent of the problem. Can we shout a little bit to try to get people to focus on, if we can get consumers to make better choices?
K
Now they can solve a big part of this, this problem, and it doesn't take decades for the next generation of engineers to come along and for everything to migrate to memory safety and better tooling. Like, literally, if people stopped downloading the vulnerable version of log4j today, that matters. And I looked, I haven't looked today, but last week that number was still at 29% of the time people are consuming the log4j thing, and we're now what, 14, 15 months passed.
K
So this is what I'm saying, like people can make better choices, stop eating the tainted food, would you. And so, so, where we kind of iterated towards it, how do we get this message out?
K
Is we, we thought about the, the Agile Manifesto, which, back in the day, was a bit of a screed to basically say we think this is really important and we want to get it out there, and so that's what we're trying to do here. And, you know, I, I think we wanted to see if we could get buy-in to more this group, because I think this is kind of the, the right group that represents it. And, and I think the key to keep in mind is I, I don't think we want to go and bike shed every super detail it.
K
Much like we were saying about the cyber security strategy, it's a call to action, not a specification and a list of every single damn thing that you need to do. Those things are being defined elsewhere, like SLSA and S2C2F. I think we just want to highlight this, this growing problem for people. So that's what we're trying to do with the manifesto.
K
So Jonathan, I see your hands up. I'll pass it back to you, yeah.
B
Yeah, just, just, just to really add to that, right, I mean it was quite, it was quite interesting to see. I put together a threat model of a sample architecture, and subsequently we're building on that with, with Henrik and the rest of the group, and as I sort of applied like the last seven years' worth of exploit data in a fairly abstract fashion, and Enrique has highlighted that's the wrong way to do it, and you should use a taxonomy, so I've learned from that.
B
But, you know, identified where the attacks are actually coming and, and would, I, you know, present themselves to the architecture in, and realized there is a huge amount of that on the consumption part. So, whilst, as Brian's saying, we're looking at, really looking at supply chain and software security holistically, there's a massive outweighed value and focus on that consumption piece from an end user perspective, and what I'm trying to do, what I've been trying to do, is try to get that message out.
B
Talk to other industries, enterprises, participants, just to see, just, just make people aware of that and, and get people to start to look at how to mitigate that particular issue. You know, as Brian's saying, there's lots of different things that we're trying to do here as a group, in as other industry participants, but that one seems to be one that's really super, super important, and, and Brian.
C
Yeah, how much is that actually people downloading the outdated log4j, and how much is it the outdated scripts, CI/CD manifests and so on and so forth? So, basically, something that is already codified, written, and the machines are now doing the work. I.
K
I would assert, does it matter? Because, if they're continuing to build that thing, they're downloading it, presumably because they're building it, which means they haven't made a change, so, so I'm not sure that distinction matters really.
C
Well, the distinction is based on the fact that if we throw a manifesto, then it's aimed at people. How much this can be addressed by additional scanning, maybe even blocking out certain things and.
C
So I, I totally understand that, like there's, there's a social part in the technology part here. I wonder if we did everything necessary to solve the technology about.
K
Technology exists to solve this problem, and Sonatype has been selling it for 10 plus years, and we're not the only one. The problem is organizations were completely ignoring this and unprepared. When log4j happened, we had customers who remediated their entire portfolio of tens of thousands of applications in days, and then the rest of the world was freaking out for months, just trying to figure out where we use log4j. That's kind of the point of this manifesto, is that, like, you need to take control of your supply chain and pay attention to.
B
Of the, yeah, yeah, thank you. I think you had your hand up next, and then going to Jessica, yeah.
F
Yeah, so just a reflection, maybe a, to be a bit provocative, provocative: with a new generative models like ChatGPT, which generates code to, will be part of this open source consumption, because I think people will start using this, and this could also end up being like in helping you to write vulnerable code, and oftentimes.
F
There are interns writing code. How would you tackle this into the consumption manifesto for, for this?
B
I, I think that's kind of separate. I think my view, sure, is, is, yeah, you can see that as potentially a risk, but this, the, the manifest is more focusing on in, in consumption of open source software and known vulnerable or malicious-looking open source software, and getting vendors on, and consumers of that software, to at least start to look and put the shields up in whatever way that's possible. There's multiple different technical ways of doing so, but sort of put that up.
J
Great, thank you. Actually I'm really interested in this, because I've been working on something, and I've actually shared with some of the people on this call, that has a tentative working title of a Secure Software Covenant. But it is, it's partially about the consumption of open source software, but it's really about the consumption of any software and about the production of software, and so I was wondering.
K
Spoke to Aaron about that on Friday, because I knew that there was some stuff overlapping there, but the way I kind of think about it is sort of the manifesto is kind of calling for action in one under-discussed area. The Covenant is a follow-up to that that would, that balances across the whole thing. So the manifesto is kind of saying we need to do some things about this.
J
No, I can see them being really complementary. In fact, I could see in the implementation guide for the Covenant referring to the manifesto. So super excited. One more question: what's, what's the timeline on you making this more public?
K
Coming from, you know, the OSSF or, because it's aligned with the mission, and as opposed to just something that Jonathan, Jeff and I write in the corner of the internet somewhere. And so that, bringing it here to this group is sort of an attempt to kind of try to get at least a consensus, if not perfect agreement, and then we'd like to take it and get it on the OSSF blog.
K
But I think, you know, the, the policy around that right now seems a little bit ambiguous, but certainly if a working group has kind of looked at it and, and given it the nod, then we should be able to make that happen. Yeah.
B
I mean just that, it's like as soon as we can really, right, but I mean it, and it's awful. I mean, you know, I don't think the blame as well here, right, is we've been trying to do this for six solid months. It's just other things have gotten the way, and, and I think we've iterated it quite a lot. But it's really at the point now just to get that extended feedback to see, you know.
B
Is there something that people agree with or can sort of refine, get additional support, yay, and push that forward? So, so kind of as soon as we can, but realistically in the next couple of weeks sort of thing would be, would be my proposal. I think, Jessica, as we've said before, I think this is absolutely complementary to, to the great work that I've seen coming on the, on the Covenant.
B
Absolutely complementary to that, and I do think this particular working group would be a great next step for the Covenant too, right. So, you know, it's not like this is one and done for the discussion around the, the consumption manifesto. Let's maybe bring it up and show people now, but we'll be back next week to talk about it, I'm sure, and let's talk about the Covenant also at the same time, okay.
J
Cool, I'm gonna copy your, your Mo, then. Thank you.
M
So I think this is a, a fantastic idea. One comment I have, because what, or maybe it's just to say, I hope we take some time with this, because I think this is a great opportunity to not just talk about what we see but also what's on the horizon. I think that we have an opportunity to make some, make some predictions here, whether for good, bad or, for, for good, bad or, or indifference.
M
Some predictions that'll, that'll help us forecast issues to come, otherwise would just continuously talking about the same wheel a thousand different ways. You need to talk about how that wheel expands, different spokes, all kinds of stuff. I'm more than willing to jump into the conversation and put my two cents in there too.
M
Just because all the work that we're doing across the openness and stuff, and I mean all the work that we're doing, we're doing some fantastic things, and we're, and we're getting as creative as possible, but I think this stuff that happens here can kind of tie all that together, if we're expanding our thoughts and it's really synthesizing all the information we're taking in to produce something that's, that can live and breathe for years come, something that's scalable for years to come.
M
So that's just the only, the only thing I want to throw in there then, to make sure that when we're doing this is not quick. This, this, this type of manifesto can't be quick, because we're gonna, we have the potential to say some things that we can, 5, 10, 15 years out, say hey, this could happen if we, know, if we don't do this and this, this can happen, right. So that's something I want to throw out there. Let's take our time with it.
B
Sorry, Jay, I, I missed your Mr hander, because I assume is playing up and I can only see the pictures.
H
Hand up. I was going to quip that we needed a domain name, obviously, if we've got a manifesto, but, you know, that's a great idea, how useful that is. But also just, I mean, I agree with what Jay is saying about predictions.
H
Having been involved with a couple of other technology manifestos, I think it's valuable to put a stake in the ground, even if we don't feel it's completely finished, to, especially if we want to be making the point that OpenSSF can be a great place to build these standards and technologies that can be, that can address the issues that have been raised in the public policy statement that, as we were talking about earlier, then I think it could be a good opportunity to draw attention to, to that. So anyway.
B
If I can go next and then see to Robert. I, I agree with Dan in that, that I, I think it's one to iterate on, right. We can definitely iterate on, but my concern is that there's a real growing threat that I see in this particular area that people aren't aware of, and it's really raised that awareness.
B
You know, I think, you know, feedback from Jay, in that there's a lot of sort of forward thinking that makes complete sense there. I'm just, I'm just concerned about how long we can wait, because when I'm talking to a lot of different enterprise, there's some consumers that they're not, they think not a lot of people are picking up in this. We are in a little bubble here, right, I.
B
Think a lot of people here are totally aware of this sort of stuff, and you reach out to a couple of people on OSSF and absolutely lots of head nodding and stuff. You start to reach out a little bit further and people just don't seem to grok what's going on, or see what's coming at them, or appreciate that there are technical solutions that they can start building now, even if they write it themselves, to start to make some of these fixes. So it's really trying to really raise that awareness.
N
I, well, I agree, I agree with everyone, but, but at the same time, for instance, the, I was part of writing the, the GitOps principles, and we made sure to version it. So, you know, the, the GitOps principles as of right now is version one total, so that it could be kind of like a midway point of actually having a versioned manifest that could then get updated, but at the same time get it out quickly.
B
Good goal. I wasn't sure whether it was Shaq or Brian next. Ryan's next.
K
Yeah, so thanks, yeah. I, I, I, I think the versioning is a great idea, and just to reinforce what Jonathan said in reaction to Jay, like, I look at this as more of like a single, single issue manifesto, as opposed to the whole thing, and I think that that can be useful, because, like I said, we feel like this is an area that doesn't get enough attention, and trying to make it too big and do all the things, well, that, that's perfect being the enemy of the good, one, and two, for everybody.
K
Here, which is nobody's really paying enough attention to this issue. So let's lean hard on that issue and not make it look like it's trying to be the Covenant or, you know, SLSA or S2C2F, and all these other things. I think we, being hyperbolic in one issue, like I said, how well, we're just trying to level the playing field. We're not trying to say that this is more important than all the other things. We are saying, though, that it can have, as a consumer, a more immediate effect. You don't have to wait and.
K
I, and I got to this line of thinking slowly over a long period of time and then all at once, and talking to people who were like, yeah, that SBOM thing, I'm waiting for the industry to produce SBOMs for all of my dependencies, and until that happens, I can't do anything. And I'm like, oh my gosh, are you serious? Like, there are lots of tools that can do that. There are free tools that can help you do this. Waiting for the world to solve.
G
Check, yeah, yeah, I think it's a great initiative. I was wondering how, how open are you to sort of like wordsmithing suggestions in terms of it, because I, I agree that, like, a good manifesto has a generous dollop of hyperbole and, you know, reaches, there's a speed trading expression, reach for the marble, yeah, that, that I, I would, I would love to try and pour on. I.
G
A good manifesto is either, yeah, is either short, or long with a single message, yeah. And like the, the two, the two ones I think of as sort of classic manifestos, it's the Agile Manifesto, which is just four sentences, basically, with some, some puff around the edges, and the common, Communist Manifesto, where it's just sort of like meant to, you know, motivate. I'm not a, don't worry. It's, it's meant, it's meant to motivate this action, right, and it tells its message simply and, and, and sort of eloquently.
B
Trying to reduce those, the principles like, you know, think, you know, there's a real focus on that. I think wordsmithing again, 100, sorry, I think, I agree. I think when it gets to the point of, well, it'd look better if we added this, I did that, then we started a step in a different version territory. But absolutely, you know, let's change the language, I mean, yeah.
K
The draft of the blog too, I don't think, I don't think that's linked out there, but that helps provide more context, and I think we were trying to find the right balance of putting the explanation for it mostly in a different document, to keep the manifesto as tight as we could. I don't know if we struck the exact balance, but there is an another piece with more behind this. That's how we're trying to separate it.
A
Brian, have you gone through the, the Sterling Toolchain strategy document? That's going to be discussed in the board meeting in 15 minutes.
A
K
A
Outcome, it's the kind of the formal outcome of what was, what we all discussed in that meeting, so I would think, I'll, I can send this around to some folks after the, after the, the board meeting. I think it's worth it, because, because I think that the man, the manifesto is obviously a, a longer term view or document, but for, for this next year or so this, the Sterling Toolchain is going to be the focus of OpenSSF, right, they're.
A
Making that pretty clear in this document. I think that'll be resolved in this meeting coming up, so just like to see how that plays into the manifesto. I think there can be some alignment, some supporting language there, but it's worth taking into consideration, I guess.
B
Let's absolutely take a look at it, but, but I think that the point, because you're right, I think we need to focus on the Sterling Toolchain, is like one of the driving focuses for SSF in my viewing as a governing board member, right. I think what the manifesto is, though, is that I, I think, to believe Brian's point a little, of all the things that you need to look at from a consumer, that, that's probably one that should be pretty high up on your list to provide that benefit, right.
K
Yeah, and if we're not careful in our messaging, then that example I gave around people waiting for SBOMs could then become, well, I'm waiting for the OSSF Sterling Toolchain, which we know is not happening tomorrow, and in the meantime, dot dot dot, I'm just going to keep on using the broken versions I have right now. Like, that would be a tragic outcome, and, and I think that's the difference. So I think we, yeah.
B
All right, we've had the, the time check, appropriate time check. That's one of the, one of the things we need to, we need to perhaps have is a formal position within the group: a time check expert. Look, I think there's been a healthy discussion about the manifesto, and to make sure that, do we distribute, it'd be great to get feedback from that.
B
Looking, looking at the agenda, I did add architectures on this, to go through and review and add more to the architectures as a form of working session. The reality is that we've got 10 more minutes. I was hoping that was going to be a 30-minute session.
B
So if you're happy to take people's view on this, but I was going to jump over that, save that for the, an ad hoc section, and look at additional notes from other working groups. Is that reasonable, do we think? Yep, excellent, all right. So assuming there are notes from other working groups, I think there's already a list that's been added to the email chain here. Is anyone getting any notes from other working groups?
I
Mine, I'll go quick. We are in the process of a TAC election, so I put some details in there. First off, any participant within the OpenSSF is eligible to vote, but you need to register, takes about 30 whole seconds, and you need a GitHub ID. So I would encourage everyone to follow the voter eligibility self-nomination form.
I
Anyone is welcome to self-nominate for the TAC itself. So if you think you would like to participate in helping steer the technical direction of the foundation, there is a form to fill that out. That does not take 30 seconds. You'll need to do a little homework and pre-work before you fill that out, but yeah, everyone is welcome to do that. And then, thirdly, there is a concept of the Security Community Individual Representative. That is also up for election.
I
So if anyone, and this is generally a person that's not affiliated with the governing board organization, but anyone that's interested in being that, you know, community representative, that is also being up for nomination and election. So please fill that form out if you're interested in that. And then I have the dates of when everything's going to execute. So we need to get the voter registration done by March 12th, and then they will send out the, they're going to validate everyone.
I
I
I don't know that they've shared it with a lot of the, and the other working groups. I've shared it with all my working groups, and I would encourage this group to send it out to their mailing list too.
I
And then my other item is an action item for Jonathan. In this group, the end user working group gets to come to the TAC next Tuesday to talk about all the amazing progress and activities. I provided a link to the template that we're going to be using over in the best working group to have. We also, we've been called up to talk, so feel free to leverage that. That's the format the TAC likes to see. If you need help, let me know, and that is.
B
B
G
Yeah, just a quick update from the Securing Software Repos group. We've got some folks who put up their hand and volunteered to prepare the, the sort of the, the design or the proposal for how the shared repository will work, or the shed like metadata and samples repository that we've talked about in this group and other groups. So SSR is taking, taking point on that. One, I don't have a fixed timeline this time, everybody's always busy, as we know, but just wanted to let you know that the wheels are in motion.
O
B
Sorry, okay, comes out in a second. I think we're rounding out in a little note. Any other working groups that people, or notices that people want to bring up?
O
Yes, I think it's just like two or four weeks ago that we have this agenda item being added to the calendar, to work on this architecture, right, and so I wanted to know whether this is and when this will happen.
B
Yes, it's my fault. I reached out to Khalil kahil to add it to the calendar, and we were adding it to the calendar, but he asked for additional information. I didn't have time to follow up. So that's absolutely on me, and I, I will ping him again and give him the right date.
B
It was just some of the stuff for the internal GitHub thing, but it's really just, I guess, now: is there any particular date that people want to, want to hold that conversation on architectures? I'm pretty flexible and probably more European based. Anyone else, thoughts for timing?
B
Should we go for a 12 o'clock Sport and in the day of your choice, Jack.
G
But, you know, in terms of Europe friendliness, I can also come in earlier, depending on, you know, depending on the day, but most days are good.
B
B
O
B
B
Not at all, not at all, we've all got day jobs, many, many day jobs, right. So any other business, or we will give people some time back? All right. So a couple of things to follow up. Everyone, I'm sure, is going to read that document. Let's use Slack to feed things back. Have a great end of the week and weekend, and thank.
H
You very much, and sorry, just to clarify on the manifesto thing, it, it's. The document, I've pasted the URL to that document in the minutes. You're looking for people to feedback as suggestions or comments and stuff like that. This is current. This is a, this is a call for, for comments from this group. Yeah, yeah.
B
And, and support. It's not just a commentary one, it's a, yep, makes sense to me, I would support that. You know, I don't think we've really thought about how we'd track that necessarily, maybe, you know, a comment at the top, or we can add sort of signatories at the bottom, maybe that one, but I think it's really a course of support as well. Does.
B
Yep, that sounds good to me, and just one more call out to, to Jessica for the, the Covenant. Looking forward to sort of getting that into the Slack as well, in catching up in, in detail in the next, next.